NameHero has a partnership with DropMySite to back up your website on a daily basis. One of the advantages of this is that it lets you see which files were modified, and the error logs in particular can be quite useful. Recently, this allowed me to isolate a recurring error logged in a “php_errorlog” file that looks like this:
As you can see, my site WP-Tweaks was throwing an error that said:
“Uncaught Error: Class ‘getid3_handler’ not found” in the file “module.audio.ac3.php”. The error happens because that file was requested directly over HTTP instead of being loaded by WordPress: on its own it never includes the getID3 bootstrap that defines the getid3_handler class it extends, so PHP dies with a fatal error. A Google search for the message leads to a bug report page, which suggests a fix for WordPress users: .htaccess rules that forbid direct requests to PHP files in the wp-includes folder. Unfortunately, the rule given on that page doesn’t fix the problem. Specifically, this line:
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
only blocks PHP files directly inside the wp-includes folder. The character class [^/]+ cannot match a slash, so a file in any subfolder never matches. To cover subfolders as well, the line needs to be:
RewriteRule ^wp-includes\/.*\.php$ - [F,L]
Creating .htaccess Rules to Protect ALL PHP Files in Wp-Includes
To test this regex, check out the excellent tool regex101.com. I’ve saved the modified regex there so you can see how it matches PHP files both directly inside wp-includes and in its subfolders:
You can also see that it doesn’t match other files, such as CSS files, that may need to be requested directly. Only PHP files, as intended.
For reference, the original regex from the WordPress support pages doesn’t match all PHP files. Here’s a screenshot of the old regex:
You can see that while it matches “somephpfile.php” directly inside wp-includes, it doesn’t match the file that actually caused the error, wp-includes/ID3/module.audio.ac3.php.
Final .htaccess Code
So here’s the modified code that you need to insert into the top lines of .htaccess, OUTSIDE the “# BEGIN WordPress” / “# END WordPress” markers (WordPress rewrites everything between those markers, so rules placed inside would be lost):
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Nothing under wp-admin/includes/ is ever requested directly.
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests outside wp-includes/ skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# Modified line: forbid any PHP file at any depth under wp-includes/.
RewriteRule ^wp-includes\/.*\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
If you paste this code, it’ll block direct web requests to every PHP file under wp-includes. Anyone who requests one will get a “403” Forbidden message like this:
Two caveats. The rules only take effect on Apache with mod_rewrite enabled and .htaccess overrides allowed; nginx ignores .htaccess entirely. And they only stop requests arriving through the web server: files that WordPress itself loads with include() or require() keep working, because those never pass through mod_rewrite. After deploying, check your access log for 403 responses under wp-includes to confirm that nothing legitimate was caught.
And that’s it!
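To check the rules without a live server, here is an added example (my own script, not code from the original post or from WordPress) that first tests the old and new patterns against a set of constructed sample paths, as the regex101 screenshots above do, and then walks the full rule set from the “Final .htaccess Code” section, emulating the small subset of mod_rewrite behaviour it relies on (a negated pattern, and the F, L and S=n flags) to show which requests end in a 403. The names SAMPLE_PATHS, compare_patterns, build_rules and evaluate are mine, and the evaluator is an approximation for reasoning about the rules, not a replacement for testing on the real server.

```python
import re

# Constructed sample request paths, written the way a per-directory .htaccess
# with "RewriteBase /" sees them: relative to the site root, no leading slash.
SAMPLE_PATHS = [
    "wp-includes/somephpfile.php",                 # top-level PHP file
    "wp-includes/ID3/module.audio.ac3.php",        # the file from the error log
    "wp-includes/js/tinymce/langs/en.php",         # deeper nested PHP file
    "wp-includes/ID3/module.audio.ac3.php/extra",  # trailing path info: "$" does not match
    "wp-includes/css/dashicons.css",               # static asset, must stay reachable
    "wp-includes/js/jquery/jquery.js",
    "wp-admin/includes/file.php",                  # caught by the first rule
    "wp-content/plugins/example/example.php",      # outside wp-includes, passed through
    "index.php",
]

OLD_PATTERN = r"^wp-includes/[^/]+\.php$"   # as given on the WordPress hardening page
NEW_PATTERN = r"^wp-includes\/.*\.php$"     # the corrected pattern from this post


def matches(pattern, path):
    """Apply a RewriteRule pattern to a request path (all patterns here are ^-anchored)."""
    return re.search(pattern, path) is not None


def compare_patterns(paths=SAMPLE_PATHS):
    """Map each path to (matched by the old pattern, matched by the new pattern)."""
    return {p: (matches(OLD_PATTERN, p), matches(NEW_PATTERN, p)) for p in paths}


def build_rules(include_pattern=NEW_PATTERN):
    """The final .htaccess block as (pattern, negated, flags) tuples. Every rule uses
    "-" as its substitution, so no rewriting happens, only an allow/forbid decision."""
    return [
        (r"^wp-admin/includes/", False, {"F", "L"}),
        (r"^wp-includes/", True, {"S=3"}),   # not under wp-includes: skip the next 3 rules
        (include_pattern, False, {"F", "L"}),
        (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F", "L"}),
        (r"^wp-includes/theme-compat/", False, {"F", "L"}),
    ]


def evaluate(path, rules=None):
    """Emulate mod_rewrite for this rule subset: "!" negates the match, F answers 403
    and stops, S=n skips the next n rules after a match, L stops. Returns 403 or 200."""
    rules = build_rules() if rules is None else rules
    i = 0
    while i < len(rules):
        pattern, negated, flags = rules[i]
        i += 1
        if matches(pattern, path) == negated:   # the rule did not apply to this path
            continue
        if "F" in flags:
            return 403
        i += next((int(f[2:]) for f in flags if f.startswith("S=")), 0)
        if "L" in flags:
            break
    return 200


def report(paths=SAMPLE_PATHS):
    """Per path: both pattern results and the status each complete rule set produces."""
    old_rules, new_rules = build_rules(OLD_PATTERN), build_rules(NEW_PATTERN)
    return {
        p: {
            "old_pattern": matches(OLD_PATTERN, p),
            "new_pattern": matches(NEW_PATTERN, p),
            "old_ruleset": evaluate(p, old_rules),
            "new_ruleset": evaluate(p, new_rules),
        }
        for p in paths
    }


if __name__ == "__main__":
    print(f"{'path':46} old-pat new-pat old-set new-set")
    for p, r in report().items():
        print(f"{p:46} {str(r['old_pattern']):7} {str(r['new_pattern']):7} "
              f"{r['old_ruleset']:<7} {r['new_ruleset']:<7}")
```

Running it shows the file from the error log passing straight through the old rule set (200) and being forbidden by the new one (403), while the CSS and JavaScript samples stay reachable under both. The path-info sample is worth a second look: because both patterns end in $, a request for module.audio.ac3.php/extra is not matched by either. Whether Apache would execute the script for such a request depends on your PHP handler and the AcceptPathInfo setting, so include a request of that shape when you verify the rules with curl against the real server.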
To draw the attention of the WordPress community to this problem, I posted a note on the forums. The moderator replied that there was no problem if you wanted to block all PHP code like this. Even though he said it wasn’t necessarily a security concern, he mentioned there might be future problems if someone were to hack your site and run malicious PHP files from there.
So better safe than sorry, right?
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!